The Authorization Code string size is left undefined by this specification. The client should avoid making assumptions about code value sizes. The Authorization ServerSHOULD document the size of any value it issues.